What can you do?
While difficult, preventing and detecting these threats isn't impossible. Start by building multiple layers of security. At a bare minimum, you'll want:
- Patch management: Closing vulnerabilities plays a major role in stopping all kinds of attacks. LotL attacks are no exception. If a vulnerability exists in a Windows admin tool, criminals can launch automated attacks seeking to exploit that vulnerability and hijack the Windows tool. As always, patch regularly and automate as much of this as you can.
- Email security: Many LotL attacks start via emails with attached weaponized documents. This makes email security essential for preventing these attacks from sneaking their way onto one of your managed endpoints. SolarWinds® Mail Assure is designed to prevent incoming email threats and uses collective intelligence from its user base to protect you against active attacks reported across the world.
- Web protection: Email isn’t the only delivery mechanism. A malicious website could lead to a drive-by download of a malicious file or script. Getting a good web protection and filtering tool can help cut down on these attacks.
- Secure credential management: Don’t make it easy for cybercriminals by allowing your technicians to fall into poor password habits. That means no weak passwords, no plain-text storage in spreadsheets, and no Post-it notes under the keyboard. Instead, use a password manager to keep credentials strong, fresh, and secure. SolarWinds Passportal is built to help MSPs generate and securely store strong passwords, and grant or revoke access quickly if needed. Plus, Passportal offers encryption both in transit and at rest, as well as multifactor authentication (MFA) and role-based permissions.
- AI-driven endpoint protection: If a LotL attack is underway in one of your managed environments, the only real way to detect it involves artificial intelligence and machine learning. An AI-driven endpoint protection solution, such as SolarWinds Endpoint Detection and Response (EDR), powered by SentinelOne, can establish a baseline of behavior on a machine and alert you to suspicious anomalies, such as a process attempting to reach out to another machine on the network or deleting files en masse.
- User and network access segmentation: Finally, set up environments to limit the potential damage if an attack does occur. For starters, adhere closely to the principle of least privilege. Grant users access to data only on a need-to-use basis, so that if an account or machine is compromised, you can limit the fallout. Additionally, architect your networks to detect and block lateral movement as criminals attempt to reach out and compromise other machines. This can help keep a small compromise from becoming a large one.
LotL attacks can get through even the best-laid defenses. And with known APT groups focusing on MSPs, LotL attacks represent a massive danger to your business. So you’ll need to know how best to detect one of these threats if you’re under active attack.
As mentioned before, detecting these attacks requires AI-driven behavioral analysis to note unusual, suspicious behavior within an environment. SolarWinds EDR is built to help detect threats like these and alert you in near real time. You can get full reports on potential threats and even view attack timelines to help you better understand if you’re under attack or facing a false alarm. Plus, you can set up policies to have SolarWinds EDR spring into action if it does detect a potential threat.
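To make the behavioral-baseline idea from the endpoint-protection bullet and the paragraph above concrete, here is an added example (not code from the original post, and not from any SolarWinds or SentinelOne product). It learns what an endpoint normally does from a clean training window and then flags three kinds of deviation the post names: a built-in admin tool launched from an unusual parent (the weaponized-document pattern), one process reaching several hosts it has never talked to before, and a burst of file deletions. The pipe-delimited record format, host names, process lists and every log line are constructed for this illustration.

```python
"""Toy behavioral-baseline detector for living-off-the-land (LotL) activity.

Added example, not code from the original post or any vendor product. Learns a
baseline (parent->child process pairs, outbound hosts, deletion rate) from a
clean window and flags telemetry that deviates from it. All records below are
constructed; the record format is hypothetical.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed record format: "<epoch seconds>|<endpoint>|<type>|<field1>|<field2>"
#   proc : field1 = parent image, field2 = child image
#   net  : field1 = process image, field2 = destination host
#   del  : field1 = process image, field2 = deleted path
BASELINE_LOG = r"""
100|WS01|proc|explorer.exe|winword.exe
101|WS01|proc|explorer.exe|outlook.exe
102|WS01|proc|services.exe|svchost.exe
103|WS01|net|outlook.exe|mail.corp.local
104|WS01|net|svchost.exe|dc01.corp.local
105|WS01|del|explorer.exe|C:\Users\ann\old.txt
""".strip().splitlines()

SUSPECT_LOG = r"""
200|WS01|proc|explorer.exe|winword.exe
201|WS01|proc|winword.exe|powershell.exe
202|WS01|proc|powershell.exe|certutil.exe
203|WS01|net|powershell.exe|ws07.corp.local
204|WS01|net|powershell.exe|ws08.corp.local
205|WS01|del|powershell.exe|C:\Share\q1.docx
206|WS01|del|powershell.exe|C:\Share\q2.docx
207|WS01|del|powershell.exe|C:\Share\q3.docx
208|WS01|del|powershell.exe|C:\Share\q4.docx
209|WS01|del|powershell.exe|C:\Share\q5.docx
210|WS01|del|powershell.exe|C:\Share\q6.docx
211|WS01|del|powershell.exe|C:\Share\q7.docx
""".strip().splitlines()

# Built-in Windows binaries that LotL tradecraft commonly repurposes (illustrative subset).
ADMIN_TOOLS = {"powershell.exe", "cmd.exe", "certutil.exe", "wmic.exe", "rundll32.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


@dataclass(frozen=True)
class Alert:
    timestamp: int
    kind: str
    detail: str


def parse(lines):
    """Turn pipe-delimited records into (ts, endpoint, kind, field1, field2) tuples."""
    out = []
    for line in lines:
        ts, endpoint, kind, f1, f2 = line.split("|", 4)
        out.append((int(ts), endpoint, kind, f1.lower(), f2.lower()))
    return out


class Baseline:
    """What the endpoint normally does, learned from a clean training window."""

    def __init__(self, events):
        self.proc_pairs = {(f1, f2) for _, _, k, f1, f2 in events if k == "proc"}
        self.hosts = {f2 for _, _, k, _, f2 in events if k == "net"}
        per_minute = Counter(ts // 60 for ts, _, k, _, _ in events if k == "del")
        self.max_del_per_min = max(per_minute.values(), default=0)


def detect(baseline, events, deletion_margin=5, fanout_threshold=2):
    """Return alerts, ordered by time, for behavior that deviates from the baseline."""
    alerts = []
    new_hosts = defaultdict(dict)  # process -> {never-seen host: first ts}
    del_count = Counter()          # (process, minute bucket) -> deletions
    del_first = {}                 # (process, minute bucket) -> first ts
    for ts, _, kind, f1, f2 in events:
        if kind == "proc" and (f1, f2) not in baseline.proc_pairs and f2 in ADMIN_TOOLS:
            # A document-handling app launching a script host is the classic
            # weaponized-attachment pattern; any other unbaselined launch of an
            # admin tool still deserves a look.
            name = "office-spawned-admin-tool" if f1 in OFFICE_APPS else "unbaselined-admin-tool"
            alerts.append(Alert(ts, name, f"{f1} -> {f2}"))
        elif kind == "net" and f2 not in baseline.hosts:
            new_hosts[f1].setdefault(f2, ts)
        elif kind == "del":
            key = (f1, ts // 60)
            del_count[key] += 1
            del_first.setdefault(key, ts)
    # One process fanning out to several never-seen hosts looks like lateral
    # movement rather than a single new legitimate dependency.
    for proc, hosts in new_hosts.items():
        if len(hosts) >= fanout_threshold:
            alerts.append(Alert(min(hosts.values()), "possible-lateral-movement",
                                f"{proc} -> {sorted(hosts)}"))
    # Mass deletion: well above the busiest minute observed during training.
    for key, n in del_count.items():
        if n > baseline.max_del_per_min + deletion_margin:
            alerts.append(Alert(del_first[key], "mass-deletion",
                                f"{key[0]} deleted {n} files in one minute"))
    return sorted(alerts, key=lambda a: a.timestamp)


def run_demo():
    """Train on the clean window, then score the suspect window."""
    return detect(Baseline(parse(BASELINE_LOG)), parse(SUSPECT_LOG))


if __name__ == "__main__":
    for a in run_demo():
        print(f"t={a.timestamp} {a.kind}: {a.detail}")
```

Running the baseline window back through its own detector produces no alerts, while the suspect window yields four, in time order: an Office process spawning PowerShell, PowerShell launching certutil, PowerShell contacting two workstations it never talked to during training, and seven deletions in one minute against a baseline maximum of one. The thresholds (`deletion_margin`, `fanout_threshold`) are the knobs a real product tunes per environment to trade false alarms against missed detections; the point of the example is that none of the signals depend on a file hash or signature, which is exactly why signature-only tooling struggles with LotL activity.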
SolarWinds EDR integrates with SolarWinds RMM, so you can use it from the same platform you use to support your customers. Learn more here or see it in action by requesting a free demo of SolarWinds EDR today.
Tim Brown is VP of Security for SolarWinds MSP. He has over 20 years of experience developing and implementing security technology, including identity and access management, vulnerability assessment, security compliance, threat research, vulnerability management, encryption, managed security services, and cloud security. Tim’s experience has made him an in-demand expert on cybersecurity, and has taken him from meeting with members of Congress and the Senate to the Situation Room in the White House. Additionally, Tim has been central in driving advancements in identity frameworks, has worked with the US government on security initiatives, and holds 18 patents on security-related topics.